We have a server running Win Server 2003 SP1 with IIS 6. The server runs three websites of which only one needs to be secured. However, adding HTTPS in front of any of the others redirects the user to the secured website.
From my reading I can see it's because pre SP1 SSL worked based on IP addresses only whereas post SP1 it is possible to configure it for host headers using some scripts. That's all great.
What I need to know is what the final requirements be if I have the following for my applications:
http://www.site1.com - SSL not required, but if the user types in https://www.site1.com it should not redirect to https://app.site1.com
http://www.site2.com - SSL not required, same as 1.
http://app.site1.com - SSL required.
Questions
Do I need to purchase 2 wildcard certificates for this configuration. One for *.site1.com and one for *.site2.com?
If I do get two wildcard certificates do I configure each of the sites to use them and assume that the user can choose to view https://www.site1.com can do so without being redirected
There are a number of similar questions on Stack, but not quite the same requirements. See
Hosting multiple sites in IIS 6, one need SSL
Edit
Microsoft's Recommendation on IIS6 and Wildcard certificates
I found a link where Microsoft explains more about using Wildcard certificates to configure the scenario I have described: https://web.archive.org/web/20161114165638/https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
Note: We are definitely having the scenario where if the user browses to https://www.site1.com the browser displays the exception (which is correct) but then after accepting the exception they're being redirected to https://app.site1.com.
If you need to secure only http://app.site1.com then you don’t need to buy wildcard ssl certificate. You can simply secure your website using domain SSL Certificate. (Recommended SSL: RapidSSL Certificate, Thawte SSL123, QuickSSL Premium)
Suppose your all three websites are hosted on same IP address.
When user type https://www.site1.com then he will not redirect to your https://app.site1.com but visitor will get domain mismatch error in his browser because of same IP address.
Wildcard SSL can only secure your primary domain plus unlimited sub domain for that primary domain name.
Example: site1.com, www.site1.com, mail.site1.com, blog.site1.com
If you want to secure *site1.com and *.site2.com then you should go with Multi Domain SSL Certificate instead of Wildcard ssl certificate.
Related
There are two domain names:
1.one long (example: MaryJaneFamily.com)
2.one short (MaryJane.com).
The 301 redirect works correctly from EXISTING links from various web sites (from when the site had no ssl).
The redirect domain name appears but gives a "insecure site" warning and it appears as https://MaryJane.com.
The primary domain name does not show up in google listings at all.
I have validated the full domain name with google and provided a new sitemap to google.
The sitemap submission is not showing any errors. DNS for primary domain name shows it is fully propagated.
The link that appears in google is not the primary domain but the forwarded domain name with an "s" added to the http - selecting that link brings to you a "insecure site" warning screen.
What am I doing wrong?
It appear that your SSL certificat is maybe not valid or generated and auto-signed by your server. You have to use a SSL certificate certified by high autority trusted domain. A lot of hosting services can sell you a validated and trusted SSL certificate, or some companies like CloudFlare can give you for free (with some other protections and services like CDN, DDoS protect, firewall...etc).
If you want to do it yourself, you can use Let's encrypt to make your own trusted certificate (remember that you will have to renew this all 3 months but you can easily automate it).
Well, you can read this guide to know more about SSL certificates and which you sould use.
I hope it will help.
Is there a "return 301" for forced SSL in your sites config? If you don't force SSL then you will receive both secure and insecure ports.
Here is my situation:
I own and control coolwebsite.com
Many websites have a CNAME entry pointing to coolwebsite.com
For example, lamewebsite.com CNAME's a.lamewebsite.com to coolwebsite.com
There are about 50 of these other websites that point to mine, none of which I can control easily
How can I get an SSL certificate that will work with these CNAME's?
There are about 50 of these other websites that point to mine, none of which I can control easily
If you have no control over these web sites or their DNS settings than you should not be able to get a certificate for these. If this would be possible than it would be a serious security issue.
This appears to be a shared hosting kind of setup where you host the websites for clients and allow them to point their own domains to your server and use SNI or host header to serve a correct website based on domain used in the request.
More information like is above correct, where you're getting your TLS certs from, do you want to use single cert to cover everything or a cert per domain would be useful, but in general you can get a certificate with multiple Subject Alternative Names for different domain names/sites.
E.g. if you're using Let's Encrypt, with Domain Validation, you don't need control over domain's DNS, only over content served from that domain. And if people point their aliases (CNAMEs) to your web server then you already have it.
My main site https://example.com has an SSL cert, no problem.
Now, I have developped a related application, that is hosted on a completely different server, and under : app.example.com. It has a dedicated IP.
The app uses websockets and needs SSL to function properly acros all devices. But I'm having trouble finding out how to register a new certificate for a subdomain... What's the strategy here? Should I have a wildcard cert on the main server, and somehow redirect from there? In that case, the app server wouldn't have access to the cert, and I wouldn't be able to create my secure socket connection, right?
The certificate has to be installed where the server which provides content using this certificate. This means
That the certificate for the subdomain has to be used on all servers which serve the subdomain, i.e. your websocket server.
And nowhere else, i.e. it is not needed at the main domain just to provide a redirect from the main domain away.
You are free to use any certificate which matches the subdomain, that is it can be a wildcard certificate but can also be specific for only this domain.
You can go for a wild card certificate and bind it to all the URL's who share the same domain. But keep in mind, the wildcard certificates (irrespective of any brands) supports unlimited first level sub domains .
Wild card certificates can be installed on any server where the FQDN is hosted. In situations where the the sub domains are hosted on multiple servers, the wildcard certificate will work for all of them.
I am having a bit of trouble understanding how many ssl certificates I should get under specific conditions:
I have two pages the user is supposed to use (index and main) and all other scripts users don't access in the front end (e.g. uploadFile.php).
I have socket.io implemented in port x which I want to run over https protocol.
How many ssl certificates should I get under these conditions to assure secure data traffic? (is the data from all other php scripts still secure if index and main have ssl?)
SSL cert is issued for a specific DNS name. So if you run your PHP and Socket.io applications on the same domain, one cert is surely enough to secure both.
If you run your app on two different domains, you need to (a) use two separate regular certificates, or (b) have one SAN certificate (it secures multiple DNS names).
Also there is a wildcard certificate, it secures all direct subdomains of specified domain (*.some-site.com). It can be combined with SAN feature, so it can secure base domain some-site.com and direct subdomains as well.
IF your website is accessed via different website on https , then your website and the website through which its accessed needs to have their separate SSL certificate.
If your website does not have an ssl certificate , the connection will be dropped when your website link is accessed via other website.
We would like to setup an application on Windows Azure at abc.cloudapp.net which would have a CNAME record for www.mydomain.com pointing to it and then allow clients to do the same. Our application would then look at the requested URL and then pull out relevant data based on the requested domain (abc.theirdomain.com or www.theirotherdomain.com).
Our initial tests show that this should work, however the problem lies in that we need the site to be secure. So we'd like clients to be able to setup shared SSL certs with us that we would upload to our Azure subscription that then allowed them to create a CNAME record (abc.theirdomain.com or www.theirotherdomain.com) that points to either www.mydomain.com or abc.cloudapp.net.
Is this possible?
Edit: I'm not sure if this is the same question as Azure web role - Multiple ssl certs pointing to a single endpoint.
We've used a multi-domain certificate in this situation - see http://www.comodo.com/business-security/digital-certificates/multi-domain-ssl.php for details. This will work for up to 100 different top-level domains.
The problem with a multi-domain certificate is that it is more expensive than a "normal" certificate and that every time you add a new domain, you will have to deploy a new package with the updated certificate.
On the other hand, you could have multiple SSL certificates (one for each domain) and then the answer you seek is here Azure web role - Multiple ssl certs pointing to a single endpoint.
No, I don't think your setup would be possible with a single SSL cert. In general, SSL certs are tied to the hostname (e.g. foo.domain.com and foo.domain2.com need different certs). However, you can purchase a wildcard SSL cert that will help if you use the same root domain, but different subdomains (e.g. foo.domain.com and foo2.domain.com can share a wildcard cert).
So, in your case, since you are allowing different root domains, then you need a different SSL cert for each. If instead you choose to allow different sub-domains on same root domain, you can get away with the wildcard cert.